While upgrading the license for failover units, it is not possible to
avoid the network downtime. However, the downtime can be minimized. This
document focuses on how to minimize the downtime during the upgrade of license
in failover pair.

By default, the license on the PIX will be 'Restricted'(®). A new
activation key is required in order to upgrade from a 'Restricted' software
bundle to a bundle which supports additional features such as more number of
connections, Failover, IPSec or additional interfaces. Also, a new activation
key is sometimes necessary after a Flash upgrade on a PIX.

In order to request an activation key, send an email to
licensing@cisco.com providing the serial
number of PIX (or if you are upgrading the flash, provide the serial
number of Flash Card) and the output of the show version
command. Go to the
Cisco ASA 3DES/AES License Registration
(registered customers only)
page to
request an AES/3DES activation key.

Note: If you receive the ERROR: Failed to update flash
activation key error, which is due to a problem in the
activation key, request a new activation key to resolve this error.

The following show version command sample shows the
serial number and the activation key for the security appliance.

Use the following procedure if your new license does not require you to
reload. This procedure ensures that there is no downtime.

Disable failover on the active unit using the no
failover command on the active unit. The standby unit remains in
a pseudo-standby state. Deactivating failover on the active unit prevents the
standby unit from attempting to become active during the period when the
licenses do not match.

Install the new license on the active unit using the
activation-key key command on the active unit. Make
sure this license is for the active unit serial number.

Install the new license on the standby unit using the
activation-key key command on the standby unit. Make
sure this license is for the standby unit serial number.

Turn failover back on in the active unit using the
failover command. This completes the
procedure.

Note: Before you upgrade the license, make sure both units are
operating correctly, the Failover LAN interface is up, and there is not an
imminent failover event; for example, monitored interfaces are operating
normally. On each unit, enter the show failover
command. Or, in ASDM go to Monitoring > Properties
> Failover > Status to view the failover status and the
monitored interface status.

Use the following procedure using ASDM if your new license does not
require you to reload. This procedure ensures that there is no
downtime.

On the active unit, choose Configuration
> Device Management > High Availability > Failover >
Setup, and uncheck the Enable Failover check box. Now
click Apply. The standby unit remains in a pseudo-standby
state. Deactivating failover on the active unit prevents the standby unit from
attempting to become active during the period when the licenses do not match.

Use the following procedure if your new license requires you to reload.
Reloading the failover pair causes a loss of connectivity during the reload.

Disable failover on the active unit using the no
failover command on the active unit. The standby unit remains in
a pseudo-standby state. Deactivating failover on the active unit prevents the
standby unit from attempting to become active during the period when the
licenses do not match.

Install the new license on the active unit using the
activation-key key command on the active unit. Make
sure this license is for the active unit serial number.

Note: If you need to reload, you will see this message:
WARNING: The running activation key was not updated with the
requested key. The flash activation key was updated with the requested key, and
will become active after the next reload.

Install the new license on the standby unit using the
activation-key key command on the standby unit. Make
sure this license is for the standby unit serial number.

Reload the standby unit using the reload
command.

Reloads the active unit. When you are prompted to save the
configuration before reloading, answer No. This means that
when the active unit comes back up, failover will still be enabled. This
completes the procedure.

Note: Before you upgrade the license, be sure that both units are
operating correctly, the Failover LAN interface is up, and there is not an
imminent failover event; for example, monitored interfaces are operating
normally. On each unit, enter the show failover
command. Or, in ASDM, go to Monitoring > Properties
> Failover > Status to view the failover status and the
monitored interface status.

Use the following procedure using ASDM if your new license requires you
to reload. Reloading the failover pair causes a loss of connectivity during the
reload.

On the active unit, choose Configuration
> Device Management > High Availability > Failover >
Setup, and uncheck the Enable Failover check box. Now
click Apply. The standby unit remains in a pseudo-standby
state. Deactivating failover on the active unit prevents the standby unit from
attempting to become active during the period when the licenses do not match.